Software Patch Claimed To Allow Aadhaar's Security To Be Bypassed, Calling Into Question Biometric Database's Integrity

from the but-it's-ok,-we-already-blacklisted-the-50,000-rogue-operators-that-we-found dept

Earlier this year, we wrote about what seemed to be a fairly serious breach of security at the world's largest biometric database, India's Aadhaar. The Indian edition of Huffington Post now reports on what looks like an even more grave problem:

The authenticity of the data stored in India's controversial Aadhaar identity database, which contains the biometrics and personal information of over 1 billion Indians, has been compromised by a software patch that disables critical security features of the software used to enrol new Aadhaar users, a three month-long investigation by HuffPost India reveals.

According to the article, the patch can be bought for just Rs 2,500 (around $35). The easy-to-install software removes three critical security features of Aadhaar:

The patch lets a user bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers.

The patch disables the enrolment software's in-built GPS security feature (used to identify the physical location of every enrolment centre), which means anyone anywhere in the world -- say, Beijing, Karachi or Kabul -- can use the software to enrol users.

The patch reduces the sensitivity of the enrolment software's iris-recognition system, making it easier to spoof the software with a photograph of a registered operator, rather than requiring the operator to be present in person.

As the Huffington Post article explains, creating a patch that is able to circumvent the main security features in this way was possible thanks to design choices made early on in the project. The unprecedented scale of the Aadhaar enrollment process -- so far around 1.2 billion people have been given an Aadhaar number and added to the database -- meant that a large number of private agencies and village-level computer kiosks were used for registration. Since connectivity was often poor, the main software was installed on local computers, rather than being run in the cloud. The patch can be used by anyone with local access to the computer system, and simply involves replacing a folder of Java libraries with versions lacking the security checks.

The Unique Identification Authority of India (UIDAI), the government body responsible for the Aadhaar project, has responded to the Huffington Post article, but in a rather odd way: as a Donald Trump-like stream of tweets. The Huffington Post points out: "[the UIDAI] has simply stated that its systems are completely secure without any supporting evidence." One of the Aadhaar tweets is as follows:

It is because of this stringent and robust system that as on date more that 50,000 operators have been blacklisted, UIDAI added.

The need to throw 50,000 operators off the system hardly inspires confidence in its overall security. What makes things worse is that the Indian government seems determined to make Aadhaar indispensable for Indian citizens who want to deal with it in any way, and to encourage business to do the same. Given the continuing questions about Aadhaar's overall security and integrity, that seems unwise, to say the least.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Anonymous Anonymous Coward (profile), 17 Sep 2018 @ 6:45pm

    Money causes they system to be sold...

    ...but no amount of money can fix the problems incurred.

    As has been stated many times, here on Techdirt and elsewhere, biometrics is is username, not a password. When the system uses biometrics as the password, and the 'password' becomes compromised, how in the hell does one change it? Fingerprint, eye scan, even a DNA sample (not available yet but I bet someone is working on it $$$) it is not changeable when compromised.

    Any entity that thinks biometrics is a reasonable way to allow access to anything needs to be investigated for their lack of thinking.

    reply to this | link to this | view in chronology ]

  • icon
    ECA (profile), 17 Sep 2018 @ 8:04pm

    i wonder..

    If the USA and other countries were as BAD as we say other nations are..
    Couldnt we grab this data file and use all the data to create credit applications and SPEND all that credit??

    reply to this | link to this | view in chronology ]

  • identicon
    Mr Big Content, 17 Sep 2018 @ 8:51pm

    Software Patchers Are TERRORIST PORN PIRATES

    The answer is simple: just BAN these Unlicneced Software Patchers. Software SHOUDLNT BE ALLOWED unless its FULLY LEGAL! ENOUGH of all this FREE PIRATE SOTFWARE that is circluating around on Github and all these other Porn places. STOP RANDOM TOM DICK AND HARRY PEOPLE WRITING CODE NOW!!!

    reply to this | link to this | view in chronology ]

    • identicon
      Jon Smythe, 18 Sep 2018 @ 5:58am

      Re: Software Patchers Are TERRORIST PORN PIRATES

      I honestly don't know if you are being sarcastic, or are just a complete and utter nuttjob.
      Care to elaborate on how you plan on preventing people from writing code?
      Or what por has to do with github?
      Does porn scare you? Do you stay up late nights thinking about porn?

      reply to this | link to this | view in chronology ]

      • identicon
        James, 18 Sep 2018 @ 6:20am

        Re: Re: Software Patchers Are TERRORIST PORN PIRATES

        Obvious, has to be /s, no one is that crazy. Oh wait, it might be a serious post, does Chris Dodd (riaa/mpaa) post on this forum?

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 18 Sep 2018 @ 7:32am

          Re: Re: Re: Software Patchers Are TERRORIST PORN PIRATES

          Mr Big Content has been providing his satire here for a while, funny stuff.

          reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 17 Sep 2018 @ 9:28pm

    Fail to address one concern, only to raise another

    It is because of this stringent and robust system that as on date more that 50,000 operators have been blacklisted, UIDAI added.

    With a system that valuable the fact that at least fifty thousand people who shouldn't have had access did they're hardly making it look better or more secure with that 'defense'.

    In addition the very important next question would be, 'of that fifty thousand, how many were blacklisted before they had a chance to make off with valuable data?' Because if they weren't stopped at the door then blacklisting them would very much be a case of shutting the barn doors after the horses escaped. Sure they can't access it again... with the same information/address... but if they already got what they wanted then losing that access isn't exactly going to do any good.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 Sep 2018 @ 7:10am

    subvert the dominant paradigm, right?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 Sep 2018 @ 7:35am

    Something something .. eggs in one basket

    The biometric cheerleaders will dismiss this as a nothing burger.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Close
Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: I Invented Email
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.